
Double Transform elements work, but cause issues

Open QAnders opened this issue 3 years ago • 8 comments

First off, thanks so much for this module, awesome! Next, I am not too familiar with XML signing and have had a difficult time actually verifying that the signature is OK, but it has been running fine for some time...

The problem is that we add two <Transform> elements in order to produce a valid signature. You can see the signed request here: http://b-0389251a222dab85cf34ef28fa5672f0.iso6523-actorid-upis.acc.edelivery.tech.ec.europa.eu/iso6523-actorid-upis::0007:5567321707/services/busdox-docid-qns::urn:oasis:names:specification:ubl:schema:xsd:Invoice-2::Invoice##urn:cen.eu:en16931:2017#compliant#urn:fdc:peppol.eu:2017:poacc:billing:3.0::2.1

It is part of a standardized listing for Peppol SMP (Peppol.eu).

The XML is, as I said, valid and signed correctly, but the specification states: [image: excerpt from the specification]

If I remove the additional <Transform> it is not producing a valid XML signature anymore.

My code is as follows:

  const SignedXml = require('xml-crypto').SignedXml;

  let sig = new SignedXml();

  // Reference to the SignedServiceMetadata element with two transforms:
  // enveloped-signature followed by exclusive C14N. The last argument
  // (isEmptyUri) makes the Reference carry URI="".
  sig.addReference(
    ".//*[local-name(.)='SignedServiceMetadata']",
    [
      'http://www.w3.org/2000/09/xmldsig#enveloped-signature',
      'http://www.w3.org/2001/10/xml-exc-c14n#'
    ],
    'http://www.w3.org/2000/09/xmldsig#sha1',
    '',   // uri
    '',   // digestValue
    '',   // inclusiveNamespacesPrefixList
    true  // isEmptyUri
  );

  sig.signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
  // SignedInfo is canonicalized with inclusive C14N
  sig.canonicalizationAlgorithm =
    'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';

  sig.signingKey = SMP_QVALIA_PRIVKEY; // PEM private key, loaded elsewhere

  // KeyInfo: certificate subject name plus the certificate itself
  sig.keyInfoProvider = {
    getKeyInfo: (key, prefix) => {
      return `<X509Data><X509SubjectName>${process.env.SMP_QVALIA_CN}</X509SubjectName><X509Certificate>${SMP_QVALIA_PUBKEY}</X509Certificate></X509Data>`;
    }
  };

  sig.computeSignature(xml); // xml: the document string to sign, defined elsewhere

  let signedXml = sig.getSignedXml();

The above creates the valid signing, but according to the spec I need to remove 'http://www.w3.org/2001/10/xml-exc-c14n#', and doing that the signature becomes invalid...

I think this issue is related: https://github.com/yaronn/xml-crypto/issues/210

QAnders avatar Jul 07 '21 09:07 QAnders

I can also add that if I am using the canonicalization http://www.w3.org/2001/10/xml-exc-c14n# it again shows as an invalid signature, and only http://www.w3.org/TR/2001/REC-xml-c14n-20010315 works with it.

According to the specification I am trying to follow we should be using http://www.w3.org/2001/10/xml-exc-c14n#.

The code edited like this seems to be OK:

  const SignedXml = require('xml-crypto').SignedXml;

  let sig = new SignedXml();

  // Only the enveloped-signature transform this time
  sig.addReference(
    ".//*[local-name(.)='SignedServiceMetadata']",
    [
      'http://www.w3.org/2000/09/xmldsig#enveloped-signature'
    ],
    'http://www.w3.org/2000/09/xmldsig#sha1',
    '',   // uri
    '',   // digestValue
    '',   // inclusiveNamespacesPrefixList
    true  // isEmptyUri
  );

  sig.signatureAlgorithm = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1';
  sig.canonicalizationAlgorithm = 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315';

  sig.signingKey = SMP_QVALIA_PRIVKEY; // PEM private key, loaded elsewhere

  sig.keyInfoProvider = {
    getKeyInfo: (key, prefix) => {
      return `<X509Data><X509SubjectName>${process.env.SMP_QVALIA_CN}</X509SubjectName><X509Certificate>${SMP_QVALIA_PUBKEY}</X509Certificate></X509Data>`;
    }
  };

  sig.computeSignature(xml); // xml: the document string to sign, defined elsewhere

  let signedXml = sig.getSignedXml();

However, changing to sig.canonicalizationAlgorithm = 'http://www.w3.org/2001/10/xml-exc-c14n#'; breaks the signature again...

QAnders avatar Jul 08 '21 07:07 QAnders

I have exactly the same problem. A third-party API gives me the same error. Any solutions yet?

artkarki avatar Jul 20 '21 07:07 artkarki

Any response on this?

abhinandanValetEZ avatar Aug 10 '22 10:08 abhinandanValetEZ

We have a workaround where we stop the second transform from being added, inside the library.

In the following file, xml-crypto/lib/signed-xml.js, at line 909, add the following two lines:

  if (transform.getAlgorithmName() == 'http://www.w3.org/2001/10/xml-exc-c14n#')
    continue;

It skips the second transform so it is not added to the signed XML.

cyberrspiritt avatar Aug 18 '22 06:08 cyberrspiritt

Any solution? I have the same problem; I just need enveloped-signature.

clucher91 avatar Oct 01 '22 13:10 clucher91

> We have a workaround where we stop the second transform from being added, inside the library.
>
> In the following file, xml-crypto/lib/signed-xml.js, at line 909, add the following two lines:
>
>   if (transform.getAlgorithmName() == 'http://www.w3.org/2001/10/xml-exc-c14n#')
>     continue;
>
> It skips the second transform so it is not added to the signed XML.

Refer to this. It works for us.

cyberrspiritt avatar Oct 02 '22 02:10 cyberrspiritt

> Refer to this. It works for us.

Thanks @cyberrspiritt for your help! My problem is a different one now. I was able to sign the XML as requested, but when I try to sign an XML with the requested schema, the digest value is wrong. I'm trying to sign "SetDTE". Any suggestions?

Failed digest value

<EnvioBOLETA xmlns="http://www.sii.cl/SiiDte"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sii.cl/SiiDte EnvioBOLETA_v11.xsd" version="1.0">
    <SetDTE>
...

OK digest value

<EnvioBOLETA>
    <SetDTE>
...

clucher91 avatar Oct 02 '22 19:10 clucher91

@cyberrspiritt, if that solution worked for you, would you mind creating a PR with a test suite, so that the community can benefit and so that you don't have to maintain a fork?

cjbarth avatar May 29 '23 21:05 cjbarth